Details Revealed in Crash Reports

Thursday, February 20, 2014 @ 06:02 PM gHale

Houdini malware is now a part of a new attack of a mobile operator and government body, researchers said.

An attack targeting an unnamed mobile network operator and government body using the Houdini remote access Trojan (RAT) ended up discovered while researchers were testing a new detection strategy, said Websense ‎director of security research Alex Watson. He said the strategy involves researchers cross-referencing Microsoft application and software crash reports to spot attacks.

“Every time an application crashes it sends a report to Microsoft,” Watson said. “The report includes a variety of information about the app and the computer. This isn’t just application software data. It includes everything from information about the computer’s basic input/output system [BIOS], down to hardware changes. It will even let you know if someone’s plugged a USB or smartphone into the machine.”

“In general, this is so Microsoft can prioritize fixes, but we thought about using it for a different application and using the information to detect attack activity. We wanted to use it to make an anomaly detector.”

Watson said while testing the technique, Websense examined 16 million crash reports, five of which indicated potential foul play. He said the company discovered the attacks while examining the five potential positive alerts.

“We reversed exploits from the point of fail [crashes] and took in 16 million reports over four months from third-party feeds. Of these we found five matches, four of which indicated the possibility an exploit had tried to get into the networks. Upon further investigation we found two organizations had Houdini in their systems,” he said.

Houdini is a dangerous remote access Trojan that sees use for a variety of purposes. “Houdini opens the door for pretty much anything [a hacker] could want to do. It can be used for everything from installing password trackers, to grabbing information about the network or pulling files,” Watson said.

Watson said Websense also uncovered evidence of a new variant of the Zeus malware targeting a “large clothing retailer” located in the eastern United States. He said the crash logs used in the investigation indicated hackers had tried to infect the company with a similar malware to the Zeus Trojan.